This page documents the full list of events that are surfaced with the workspace audit logging feature. This list is subject to change, and more events will be added over time.
Audit logs follow version 1.7.0 of the Open Cybersecurity Schema Framework (OCSF), a standardized, platform-agnostic schema designed for security event data.
Event List
This list contains all of the events that are currently available; events are uniquely identified by their numeric activity_id and their activity_name. Each event also belongs to a specific class (identified by the class_uid and class_name), and classes are grouped into different categories.
For more information on the data contained within each event, refer to the linked documentation on the OCSF website for the full schema of each class. The list of common properties and the examples further below cover some Read-specific details.

| class_uid | class_name | activity_id | activity_name | Trigger Description |
|---|---|---|---|---|
| 3001 | | 2 | Enable | User account reactivated |
| 3001 | | 4 | Password Reset | User password reset |
| 3001 | | 5 | Disable | User account deactivated |
| 3001 | | 6 | Delete | User account deleted |
| 3001 | | 99 | Other | User email verified |
| 3002 | | 1 | Logon | User logs in |
| 3002 | | 2 | Logoff | User logs out |
| 3005 | | 1 | Assign Privileges | Session* access added for a user |
| 3005 | | 2 | Revoke Privileges | Session* access revoked for a user |
| 3006 | | 1 | Assign Privileges | Session* access created for a non-user entity (team/workspace) |
| 3006 | | 2 | Revoke Privileges | Session* access deleted for a non-user entity (team/workspace) |
| 3006 | | 3 | Add User | Member added to a workspace or team |
| 3006 | | 4 | Remove User | Member removed from a workspace or team |
| 3006 | | 99 | Other | Workspace or team invite created/deleted |
| 6001 | | 1 | Create | Audit log sink created |
| 6001 | | 3 | Update | Workspace, team, or user settings updated |
| 6002 | | 1 | Install | Integration added |
| 6002 | | 2 | Remove | Integration deleted |
| 6002 | | 6 | Enable | Integration activated |
| 6002 | | 7 | Disable | Integration disabled |

*Session refers to a specific meeting report.
Common Event Properties

| Name | Description | OCSF Property |
|---|---|---|
| Event ID | A unique ULID tied to the specific log event | |
| Workspace ID | The ID of the Read AI workspace the log event is tied to | |
| Timestamp | A timestamp indicating when the event took place, to millisecond precision | |
| Event Type | A label indicating the type of event, such as "Logon" or "Add User" (both a numeric ID and a string name) | |
| Actor | The entity responsible for triggering the event. Usually a user_id, but may be Read AI itself for events that the system triggers automatically. Actor information is not available on Integration or email verification events, which are driven by Domain Events. | |
| User Email | (when available) The primary email address of the user | |
| Actor Kind | The type of Actor, typically User, but could be Admin, Workspace Owner, the Read AI system itself, or an API integration | indicated via populated actor properties |
| Target | An ID representing the object being acted on, such as a session (meeting report) ID | |
| Target Kind | The type of Target, for example Workspace, User, Session (meeting report), etc. | |
| Outcome | Whether the action was allowed, denied, failed, or unknown | |
| Outcome Reason | (optional) reason for the ‘outcome’, for example if an action was denied, this might contain an explanatory message. API calls that return 4XXs often include such a message. | |
| IP Address | (when available) The IP address of the Actor | |
| User Agent | (when available) The user-agent of the Actor | |
| Message | A raw, free-text log message which provides additional context about the event | |

Examples
Sign-in event ("Logon"):
```json
{
  "activity_id": 1,
  "activity_name": "Logon",
  "actor": {
    "user": {
      "email_addr": "ada@read.ai",
      "uid": "1234567890"
    }
  },
  "auth_factors": [
    {
      "factor_type_id": 0,
      "provider": "read"
    }
  ],
  "category_name": "Identity & Access Management",
  "category_uid": 3,
  "class_name": "Authentication",
  "class_uid": 3002,
  "message": "Authentication login for user 1234567890",
  "metadata": {
    "product": {
      "name": "Read AI"
    },
    "tenant_id": "01K820PAE0S32BVWXDFN5NZR1X",
    "uid": "f296be4f-a404-49e2-8c0e-412712665bb7",
    "version": "1.7.0"
  },
  "observables": [
    {
      "type": "IP Address",
      "type_id": 2,
      "value": "123.123.123.123"
    },
    {
      "type": "HTTP User-Agent",
      "type_id": 16,
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
    }
  ],
  "severity": "Low",
  "severity_id": 2,
  "status": "Success",
  "status_id": 1,
  "time": "2026-03-13T16:00:00.785969",
  "type_uid": 300201,
  "user": {
    "email_addr": "ada@read.ai",
    "full_name": "Ada Aiken",
    "uid": "1234567890"
  }
}
```

Sign-out event ("Logoff"):
```json
{
  "activity_id": 2,
  "activity_name": "Logoff",
  "actor": {
    "user": {
      "email_addr": "ada@read.ai",
      "uid": "1234567890"
    }
  },
  "category_name": "Identity & Access Management",
  "category_uid": 3,
  "class_name": "Authentication",
  "class_uid": 3002,
  "message": "Authentication logout for user 1234567890",
  "metadata": {
    "product": {
      "name": "Read AI"
    },
    "tenant_id": "01K820PAE0S32BVWXDFN5NZR1X",
    "uid": "5ed946d0-ef7b-408c-b756-92638d0dc385",
    "version": "1.7.0"
  },
  "observables": [
    {
      "type": "IP Address",
      "type_id": 2,
      "value": "123.123.123.123"
    },
    {
      "type": "HTTP User-Agent",
      "type_id": 16,
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
    }
  ],
  "severity": "Low",
  "severity_id": 2,
  "status": "Success",
  "status_id": 1,
  "time": "2026-03-10T18:51:32.033259",
  "type_uid": 300202,
  "user": {
    "email_addr": "ada@read.ai",
    "full_name": "Ada Aiken",
    "uid": "1234567890"
  }
}
```
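
The event list and the examples above can be turned into a normalization step for a log pipeline. The following is an added example, not Read AI's code: it keys the catalogue on (class_uid, activity_id), because activity_id values repeat across classes, checks type_uid against OCSF's class_uid * 100 + activity_id rule, and reads the IP address and user agent from observables by the type_id values shown in the examples. The function name `normalize`, the record layout, and the sample event are constructed for illustration.

```python
import json

# (class_uid, activity_id) -> trigger description, copied from the event list above.
EVENTS = {
    (3001, 2): "User account reactivated", (3001, 4): "User password reset",
    (3001, 5): "User account deactivated", (3001, 6): "User account deleted",
    (3001, 99): "User email verified",
    (3002, 1): "User logs in", (3002, 2): "User logs out",
    (3005, 1): "Session access added for a user",
    (3005, 2): "Session access revoked for a user",
    (3006, 1): "Session access created for a non-user entity (team/workspace)",
    (3006, 2): "Session access deleted for a non-user entity (team/workspace)",
    (3006, 3): "Member added to a workspace or team",
    (3006, 4): "Member removed from a workspace or team",
    (3006, 99): "Workspace or team invite created/deleted",
    (6001, 1): "Audit log sink created",
    (6001, 3): "Workspace, team, or user settings updated",
    (6002, 1): "Integration added", (6002, 2): "Integration deleted",
    (6002, 6): "Integration activated", (6002, 7): "Integration disabled",
}

def normalize(raw):
    """Parse one JSON event; return (flat record, list of schema problems)."""
    ev = json.loads(raw)
    key = (ev.get("class_uid"), ev.get("activity_id"))
    problems = []
    # OCSF derives type_uid as class_uid * 100 + activity_id (e.g. 3002, 1 -> 300201).
    if key not in EVENTS:
        problems.append(f"unlisted class/activity pair {key}")
    elif ev.get("type_uid") != key[0] * 100 + key[1]:
        problems.append(f"type_uid {ev.get('type_uid')} does not match {key}")
    # Index observables by type_id: 2 = IP Address, 16 = HTTP User-Agent (per the examples).
    obs = {o.get("type_id"): o.get("value") for o in ev.get("observables", [])}
    # Actor may be absent (integration and email verification events), so default to {}.
    user = ev.get("actor", {}).get("user", {})
    record = {"trigger": EVENTS.get(key), "time": ev.get("time"),
              "status": ev.get("status"), "actor_uid": user.get("uid"),
              "ip": obs.get(2), "user_agent": obs.get(16)}
    return record, problems

# Constructed sample, trimmed from the Logon example above.
SAMPLE = json.dumps({
    "class_uid": 3002, "activity_id": 1, "type_uid": 300201, "status": "Success",
    "time": "2026-03-13T16:00:00.785969",
    "actor": {"user": {"email_addr": "ada@read.ai", "uid": "1234567890"}},
    "observables": [{"type": "IP Address", "type_id": 2, "value": "123.123.123.123"}],
})
```

Events that come back with a non-empty problem list are worth routing to a review queue rather than dropping, since the event list is subject to change.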